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Abstract. Provable entanglement has been shown to be a necessary precondition for unconditionally secure 
key generation in the context of quantum cryptographic protocols. We estimate the maximal threshold 
disturbance up to which the two legitimate users can prove the presence of quantum correlations in their 
data, in the context of the four- and six-state quantum key-distribution protocols, under the assumption of 
coherent attacks. Moreover, we investigate the conditions under which an eavesdropper can saturate these 
bounds, by means of incoherent and two-qubit coherent attacks. A direct connection between entanglement 
distillation and classical advantage distillation is also presented. 

PACS. 03.67.Dd Quantum Cryptography - 03.67.Hk Quantum Communication 



1 Introduction 

Quantum key-distribution (QKD) protocols exploit qua- 
ntum correlations in order to establish a secret key be- 
tween two legitimate users (Alice and Bob). In a typi- 
cal quantum cryptographic scheme, after the transmission 
stage Alice and Bob must process their raw key, in or- 
der to end up with identical random keys about which an 
adversary (Eve) has negligible information. In principle, 
classical as well as quantum algorithms (distillation pro- 
tocols) can be used for this post-processing 

In any case, it is necessary for Alice and Bob to 
estimate the error rate in their sifted key, for the purpose 
of detecting the presence of Eve on the channel. 

An important quantity for any QKD protocol is the 
threshold disturbance i.e., the maximal disturbance or 
quantum bit error rate (QBER) which can be tolerated 
by Alice and Bob for being capable of producing a secret 
key. This threshold disturbance quantifies the robustness 
of the QKD scheme under consideration against a spe- 
cific eavesdropping strategy, and depends on the algorithm 
that Alice and Bob are using for post-processing their raw 
key. Up to date, the robustness of the four-state (BB84) 
[TT] and the six-state ^21 QKD protocols has been mainly 
discussed on the basis of the so-called Csiszar-Korner cri- 
terion |H] and/or incoherent attacks, and various bounds 



over, it is also known that a necessary precondition for 
unconditionally secure QKD is that the correlations es- 
tablished between Alice and Bob during the state distri- 
bution cannot be explained in the framework of separable 
states (provable entanglement) 22,23 . Clearly, the thresh- 



Send offprint requests to: 



old disturbance up to which this precondition is satisfied 
under the assumption of general coherent (joint) attacks, 
quantifies the ultimate robustness bound of a particular 
QKD protocol. 

In a recent paper |24| . we proved that for QKD pro- 
tocols using two mutually unbiased bases, this threshold 
disturbance for provable entanglement (robustness bound) 
scales with the dimension d of the information carriers as 
(d-l)/2d. Thus for the BB84 QKD protocol (d = 2) [TTJ , 
Alice and Bob always share provable entanglement for es- 
timated disturbances below 1/4. Extending our studies, 
in this paper it is shown that the corresponding threshold 
disturbance for entanglement distillation in the context of 
the six-state QKD protocol ^} is 1/3. 

Our studies show that even the most powerful eaves- 
dropping attacks are not able to disentangle the two legit- 
imate users for estimated disturbances below these bor- 
ders. In other words, Eve is not able to decrease the ro- 
bustness of the protocols. The natural question arises, 
however, is whether and at which cost these disentan- 
glement thresholds can be attained in the framework of 
eavesdropping attacks that maximize Eve's properties (in- 
formation gain and/or probability of success in guessing). 
In this paper we address this open question in the context 
of incoherent as well as two-qubit coherent attacks. In par- 
ticular, we present evidence that in the limit of many pairs, 
coherent attacks might be able to disentangle the two hon- 
est parties at the lowest threshold disturbance while si- 
multaneously maximizing Eve's probability of success in 
guessing correctly the transmitted signal. 

This paper is organized as follows : In Section [5] we 
briefly describe the prepare-and-measure as well as the 
associated entanglement-based versions of the BB84 and 
the six-state QKD protocols. The corresponding thresh- 
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old disturbances for provable entanglement (robustness 
bounds) are derived in Sectional while in Section^Jwe in- 
vestigate the cost at which an eavesdropper can saturate 
these bounds. A link between entanglement distillation 
and classical advantage distillation protocols is discussed 
in Section |5j 



2 Basic facts about BB84 and six-state 
protocols 

For the sake of completeness, in this section we briefly 
summarize basic facts about the two qubit-based QKD 
protocols especially in connection with their verification- 
test stage. 

2.1 Prepare-and-measure schemes 

In the prepare-and-measure BB84 protocol Alice sends 
a sequence of qubits to Bob each of which is randomly 
prepared in one of the basis states { |0), |1)} or { |0), |1)} 
which are eigenstates of two maximally conjugated physi- 
cal variables, namely the two Pauli spin operators Z and 
X. The eigenstates of Z, i.e. {|0), |1)}, and of X, i.e. 
{ |0), |1)}, are related by the Hadamard transformation 



n = 
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x 2 ( 1 



■1 



(1) 



i.e. |i) = J2j %ij li) (hi e {0' !})• I n tne computational 
basis { |0), |1)}, the Pauli spin operators are represented 
by the matrices 
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Bob measures the received qubits randomly in one of the 
two bases. After the transmission stage, Alice and Bob ap- 
ply a random permutation of their data and publicly dis- 
cuss the bases chosen, discarding all the bits where they 
have selected different bases. Subsequently, they randomly 
select a number of the bits from the remaining random 
key (sifted key) and determine their error probability or 
QBER. If, as a result of a noisy quantum channel or of an 
eavesdropper, the estimated QBER is too high the pro- 
tocol is aborted. Otherwise, Alice and Bob perform error 
correction and privacy amplification with one- or two-way 
classical communication, in order to obtain a smaller num- 
ber of secret and perfectly correlated random bits PEE 

meg. 

The six-state prepare-and-measure scheme is quite sim- 
ilar to the BB84 (four-state) scheme More precisely, 
Alice and Bob use at random three bases namely, the two 
bases used in the BB84 plus an additional one { |0), |1)} 
which corresponds to the y Pauli operator. In analogy to 
BB84, the three bases are related (up to a global phase) 
via the transformation 



M 1 1 



(3) 



£. Tij |i) and |I) = Y,i T?i li) with i,j S {0, 1} 
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2.2 Entanglement-based schemes 

It has been shown that, from the point of view of an 
arbitrarily powerful eavesdropper, each one of these two 
prepare-and-measure schemes is equivalent to an entangle- 
ment-based QKD protocol |2l)l26,27,28.29,3 01l3"T| . These 
latter forms of the protocols offer advantages, in particular 
with respect to questions concerning their unconditional 
security, and work as follows: Alice prepares each of, say 
2n, entangled-qubit pairs in a particular Bell state j.'i2j . say 
|* _ ) = |0 a 1b) - |1a0b)) (where the subscripts A, B 
refer to Alice and Bob, respectively). This state is invari- 
ant under any unitary transformation of the form Ua®Ub ■ 
Alice keeps half of each pair and submits the other half 
to Bob after having applied a random unitary transforma- 
tion chosen either from the set {1, Tt} (two-basis protocol) 
or from the set {1,T,T 2 } (three-basis protocol). 

At the end of the transmission stage, Alice announces 
publicly the transformations she applied on the transmit- 
ted qubits and Bob reverses all of them. At this stage, 
in an ideal scenario Alice and Bob would share 2n pairs 
in the state \ty~)® 2n . Due to channel noise and the pres- 
ence of a possible eavesdropper, however, at the end of the 
transmission stage all the 2n entangled-qubit pairs will be 
corrupted. In fact, they will be entangled among them- 
selves as well as with Eve's probe. Thus, the next step for 
Alice and Bob is to estimate the number of singlets among 
the 2n shared pairs (alternatively to estimate the fraction 
of pairs which are in error). To this end, they apply a 
verification test which proceeds as follows: Firstly, Alice 
and Bob permute randomly all the pairs, distributing thus 
any influence of the channel noise and the eavesdropper 
equally among all the pairs |4*ll27| . Afterwards, they ran- 
domly select a number (say n c ) of the pairs as check pairs, 
they measure each one of them separately along a com- 
mon basis and they publicly compare their outcomes. The 
influence of channel noise or of an eavesdropper is thus 
quantified by the average estimated QBER of the check 
pairs while, assuming that the check pairs constitute a 
fair sample |33|. the estimated QBER applies also to the 
remaining, yet unmeasured, 2n — n c pairs. 

After the verification test all the check pairs are dis- 
missed and, if the QBER is too high the protocol is aborted. 
Otherwise, Alice and Bob apply an appropriate entan- 
glement purification protocol (EPP) with classical one- 
or two-way communication (HUH] on the remaining 2n — 
n c pairs, in order to distill a smaller number of almost 
pure entangled-qubit pairs. Finally, measuring these al- 
most perfectly entangled-qubit pairs in a common basis, 
Alice and Bob obtain a secret random key, about which 
an adversary has negligible information. 



2.3 Verification test and confidence level 

In closing this introductory part of the paper let us recall 
some known basic facts about the verification test which 
are necessary for the subsequent discussion. The reasons 
for which such a classical random sampling procedure ap- 
plies to a quantum scenario have been thoroughly dis- 
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cussed in the literature 4 ,26 27 28 29 ,30 ,31 . Briefly, the 
commuting-observables idea allows us to reduce any quan- 
tum eavesdropping attack (even a joint one) to a classical 
probabilistic cheating strategy, for which classical proba- 
bility theory can be safely applied 26,29 . Furthermore, 
Eve does not know in advance which pairs will be used for 
quality checks and which pairs will contribute to the fi- 
nal key. Thus she is not able to treat them differently and 
the check pairs constitute a fair classical random sam- 
ple of all the pairs |3|126I27| • By invoking the verification 
test therefore the two legitimate users can be confident 
that (with high probability) the estimated error rate is 
also the error rate they would have measured if they were 
able to perform a Bell measurement projecting their pairs 
onto a 2n-pair Bell basis 26,29,30 . The confidence level 
is determined by classical random sampling theory |34) . 
In particular, the conditional probability that the verifi- 
cation test is passed given that Alice and Bob underesti- 
mate the error rate in their pairs is exponentially small 
in the sample-size n c (i.e, ~ 2~" c ) |26II29| . In other words 
the probability that Eve cheats successfully can be made 
arbitrarily small by choosing a sufficiently large sample. 



3 Provable entanglement and threshold 
disturbances 

According to a recent observation, a necessary precon- 
dition for secret key distillation is that the correlations 
established between Alice and Bob during the state dis- 
tribution cannot be explained by a separable state |221 
I23| . Throughout this work, we consider that Alice and 
Bob focus on the sifted key during the post-processing 
(i.e., they discard immediately all the polarization data for 
which they have used different bases) and that they treat 
each pair independently. Thus, according to the aforemen- 
tioned precondition, given a particular value of the es- 
timated QBER (observable), the task of Alice and Bob 
is to infer whether they share provable entanglement or 
not. Thereby, entanglement is considered to be provable 
if Alice's and Bob's correlations cannot be explained by 
a separable state within the framework of the protocols 
(including post-processing) and observables under consid- 
eration. 

Recently |2H, for the same post-processing, we esti- 
mated the threshold disturbance for provable entangle- 
ment in the context of two-basis qudit-based QKD pro- 
tocols under the assumption of joint eavesdropping at- 
tacks. In particular, we showed that for estimated distur- 
bances below (d — l)/2d (where d is the size of the in- 
formation carriers), Alice and Bob can be confident that 
they share provable entanglement with probability expo- 
nentially close to one (see Section l2~3*|) . In this section, for 
the sake of completeness, we briefly recapitulate the main 
steps of our proof adapted to the BB84 scheme. Subse- 
quently, along the same lines, we estimate the correspond- 
ing threshold disturbance for the six-state QKD scheme. 
For the sake of consistency, we will adopt the entangle- 
ment-based versions of the protocols. We would like to 



stress, however, that the estimated threshold disturbances 
characterize both versions of the protocols. 

3.1 BB84 protocol 

Given the unitarity and hermiticity of Tt, the average dis- 
turbance (average error probability per qubit pair), that 
Alice and Bob estimate during the verification test is given 

by mmEzi 

^ = ^EE ^A, B {[H b AB V H b AB \. t PAB ), (4) 

c 6=0,1 j«;i=l 

with the projector |35j 

V U = \IaM(Ia,Ib\ = \<£ + )(<£ + \ + |*-)<*-|,(5) 
;=o,i 

and Tt b AB = Ti-'X ® TC B . The last equality in (J5J indicates 
that the verification test is nothing more than a quality- 
check test of the fidelity of the 2n pairs with respect to 

p AB in Eq. J3J denotes the reduced density operator of 
Alice and Bob for all 2n pairs while the index ji indi- 
cates that the corresponding physical observable refers to 
the ji-th randomly selected qubit pair. The powers of the 
Hadamard transformations H h , with b G {0, 1}, reflect the 
fact that the errors in the sifted key originate from mea- 
surements in both complementary bases which have been 
selected randomly by Alice and Bob with equal probabil- 
ities. 

As we mentioned in Section l2.3l one of the crucial cor- 
nerstones for the unconditional security of the protocol is 
that Eve does not know in advance which pairs will be 
used for quality checks and which pairs will contribute 
to the final key. Thus she is not able to treat them dif- 
ferently and the check pairs constitute a classical ran- 
dom sample of all the pairs (4*112611271128) . To ensure such 
a homogenization, Alice and Bob permute all of their 
pairs randomly before the verification stage. In view of 
this homogenization, the eavesdropping attack (although 
a joint one) becomes symmetric on all the pairs [4,27 
i.e., p^ B = p^ B = •■■ = p AB . Here, the reduced den- 
sity operator of Alice's and Bob' s fc-th pair is denoted by 

Pab ~ r ^-AB {PAB ) and Tr{^ indicates the tracing (aver- 
aging) procedure over all the qubit pairs except the k-th 
one. Accordingly, the average estimated disturbance (@J 
reads [22] 

D = \ E Tr ^{ «s> n h B ) v {u\ ® n B )\JH) 

b=0 

(6) 

where Tr^ 1 ^ denotes the tracing procedure over the j\- 
th qubit pair of Alice and Bob. So, an arbitrary eaves- 
dropping attack which gives rise to a particular reduced 

(71) .... . 
single-pair state p AB is indistinguishable, from the point 



4 



G. M. Nikolopoulos el at: Provable entanglement and information cost for qubit-based QKD protocols 



of view of the estimated average disturbance, from a cor- 
responding collective (individual) attack which results in 

a decorrelated 2n-pair state of the form Pab- 

Our purpose now is to estimate the threshold distur- 
bance D t h such that for any estimated D < £> t h Alice and 
Bob can be confident that their correlations cannot have 
emerged from a separable state. To this end let us explore 
the symmetries underlying the observable under consid- 
eration i.e., the estimated average QBER. According to 
Eqs. © and J^J, D is invariant under the transformations 



(l,b) 
(l,b) 



(i©al,&), 
(l,b® 2 1), 



(7) 



where ©2 denotes addition modulo 2. This invariance im- 
plies that the reduced density operators pj^ B and 

Pab =1 E U(h)U(g)p%>UQj)iU{h? (8) 



8 

give rise to the same observed value of the QBER |24| . 
The unitary and hermitian operators appearing in Eq. 
|5| form unitary representations of two discrete Abelian 
groups Qi = {31,32,33,54} and Q 2 = {hi,h 2 }, and are 
given by 

U{ 91 ) — Xa ® Xb, U{g 2 ) = Z A ® Z B , 

u(g 3 ) = -y A ® y B , u( gi ) = u ® i B , (9) 



and 



u(h 1 ) = n A ^n B , u(h 2 



(10) 



Moreover, invariance of the average QBER under the sym- 
metry transformations of Eq. (JJJ induces invariance of 

(f^jl under both discrete Abelian groups Gi and Q 2 . 

The key point is now that p^ B and p^ B differ by local 
unitary operations and convex summation. Thus the den- 

sity operator p^ B is entangled if p^ B is entangled. Our 
main problem of determining the values of the QBER for 
which Alice and Bob share provable entanglement can be 
reduced therefore to the estimation of the values of D for 
which the most general two-qubit state p^ B (which is in- 
variant under both Abelian discrete groups) is entangled. 

The hermitian operators U(gi) and U{g 2 ) of the group 
Qi constitute already a complete set of commuting oper- 
ators in the Hilbert space of two qubits and the corre- 
sponding eigenstates are the Bell states [32]. Thus, the 
most general two-qubit state which is invariant under the 
Abelian group Q\ is given by 



-An) 
Pab 



= A 00 |3» + >($ + | +A10 |$-)<*- 1 

+ Aoi|* + )<# + | +Aii|tf-)<¥-|, (11) 



with A Q/ 3 > and 



E • 

a,/3G{0,l} 



vct/3 



(12) 



while additional invariance under the discrete group Q 2 
implies that 



A01 



Ai 



(13) 



Thus, the state l|ll(l with the constraint l|13|l is the most 
general two-qubit state invariant under the Abelian groups 
Qi and Q 2 . 

For later convenience let us rewrite the state p^ B in 
the computational basis, i.e. 



Pab 



(D G' 

F H 

H F 

\G D, 



(14) 



with F = 1 — D denoting the so-called fidelity, i.e. the 
total probability for Bob to receive the submitted signal 
undisturbed. Furthermore, the remaining parameters are 
given by 



D — Aoo 
G = Aoo 



A10, 
A10, 



F — A01 + An, 
H = A01 — An, 



(15) 



with D denoting the disturbance (QBER). In general, the 
parameters G and H can be expressed in terms of the 
overlaps between different states of Eve's probe and are 
thus intimately connected to the eavesdropping strategy. 
The key point for the subsequent discussion, is that for the 
estimation of the threshold disturbance it is not required 
to know the explicit form of the "macroscopic" parameters 
G and H and their detailed dependences on Eve's attack. 
More precisely, using Eqs. (|15f) . the constraints 1)1 2|l and 
(fP3fl read 



F + D = 1 



F + H = D - G 



(16) 



(17) 



respectively, while non-negativity of the eigenvalues A Qj a 
implies 



D>\G\, 



F> \H\. 



(18) 



(19) 



The possible values of the estimated disturbance for 
which p^B ^ s entangled can be estimated by means of the 
fully- entangled fraction (see [23) or the Peres-Horodecki 

criterion [20]. Using the latter, we have that pj} B is sepa- 
rable if and only if the inequalities 



D>\H\, 



F>\G\, 



(20) 



(21) 



are satisfied. As depicted in Fig. ^ these last inequalities 
combined with inequalities l(TH|) . JTDJ and Eqs. (fTrJ|l . (fT7|l 

imply that the symmetrized state p^ B is entangled if and 
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Fig. 1. BB84 protocol: Region of the independent parameters 
D(QBER) and H for which the two-qubit state pj^ is separa- 
ble (shaded region). The various constraints that these param- 
eters satisfy are indicated by straight dotted lines. Specifically, 
(a) Eq. (UJl; (b) Eq. (GU; (c) Eqs. O and JTHl, JT^; (d) Eqs. 
12111 and 1161 . 1171 1. The protocol operates in the region which 
is defined by the solid lines. 



anly if the estimated QBER is below 1/4 or above 3/4. 

Given, however, that the states and are related 
via local operations and convex summation, the original 

single-pair state p^g must also be entangled in the same 
regime of parameters. Moreover, the probability that the 
QBER has been underestimated during the verification 
test is exponentially small in n c (see Section 12.31 and re- 
lated references). Hence we may conclude that, whenever 
Alice and Bob detect an average QBER below 1/4 (or 
above 3/4), they can be confident that they share en- 
tanglement with probability exponentially close to one 
(~ 1 — 2~™ c ), and their correlations cannot have origi- 
nated from a separable state. The necessary precondition 
for secret-key distillation is therefore fulfilled for estimated 
disturbances within these intervals. 

On the contrary, for 1/4 < D < 3/4 we have that 
Pab is separable. Of course, this does not necessarily im- 
ply that p^ig is also separable. But it does indicate that 
in this regime of parameters, Alice's and Bob's correla- 
tions within the framework of the BB84 protocol can be 
explained by a separable state, namely by p^B ■ So, ac- 
cording to 22,23], this implies that Alice and Bob can- 
not extract a secret key and must abort the protocol. 
From now on we focus on the regime of practical interest 
(F > D), where the lowest possible threshold disturbance 
(D th = 1/4) is attained for G = H = -1/4. 



3.2 Six-state protocol 



The threshold disturbances for the six-state protocol can 
be determined in the same way. In this case, however, all 
three bases are used with the same probabilities and thus 



the average estimated disturbance (QBER) reads 

b=0 

(22) 

where the unitary (but not hermitian) transformation T 
is defined in Eq. J2J. 

In analogy to the BB84 protocol, exploiting the sym- 
metries underlying Eq. I|22|) one finds that D is invariant 
under the transformations 

(!,&)-(/ 02 1,6), 
(Z,6) - (Z,6 9 3 l), 

(1,6) -(1,6 93 2), (23) 

with ©3 denoting addition modulo 3. Furthermore, the 
invariance of D under the transformations (|23|l implies 

that the reduced density operators and 

Pab=^ E U(t)U(g)p ( i^U(gYU(ty (24) 
geSi,teg 3 

yield the same average QBER. This latter state is invari- 
ant under the discrete Abelian groups Q\ [with elements 
given in Eq. @] and = {^1^2,^3} with elements 

Ufa) =T A ®T Bl 
U(t 2 ) = T2®Tl 

Ufa) = 1a® 1b. (25) 

The most general two-qubit state invariant under the Abelian 
groups Gi and G3 is now of the form (|11J) . with 

Aoo = ^10 = Aoi- (26) 

Thus, in the computational basis p^J is given by (|14fl 
with 

D = 2A o, F — An + A o, 

G = 0, H = \ 0Q -\ n . (27) 

Accordingly, condition l|17f) now reads 

F + H = D, (28) 

while non-negativity of the eigenvalues \ a p implies in- 
equality l|19f) only. Finally, applying the Peres-Horodecki 

criterion one finds that pj}2 is separable if and only if 
inequality i(2Tj|) is satisfied. 

As a consequence of Eqs. Ijl6(l . Ij28f) and G — 0, there is 
only one macroscopic independent parameter in our prob- 
lem, say H, while combining inequalities (|19(l and (|20J) 
with Eqs. JEJ and we obtain that the reduced den- 
sity operator p^g is separable iff 1/3 < D < 2/3 (Fig. 
|2J. That is, no matter how powerful the eavesdropper is, 
Alice and Bob share always provable entanglement for es- 
timated disturbances smaller than 1/3. The lowest disen- 
tanglement border for the six-state scheme (D t h = 1/3) 
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the literature 



most of these studies, 




-1.0 -0.75 -0.5 -0.25 0.25 0.5 0.75 1.0 H 
Fig. 2. Six-state protocol: Region of the parameters 
D(QBER) and H for which the two-qubit state pj^ is separa- 
ble (thick solid line) . The various constraints that these param- 
eters satisfy are indicated by straight dotted lines. Specifically, 
(a) Eq. (b) Eq. <EU; (c) Eqs. JTSJ and The protocol 

operates along the solid lines. 

is attained for H = —1/3. It is also worth noting that, in 
contrast to BB84, in the six-state protocol there is only 
one disentanglement threshold since for D > 2/3 the pro- 
tocol is not valid. 

As expected, the bound for the six-state protocol is 
higher than the one for the BB84 protocol. In fact, as a 
consequence of the high symmetry of the six-state proto- 
col, the disentanglement area of the BB84 scheme (shaded 
region in Fig.QJ shrinks to a line in Fig. [21 (thick line). As 
will be seen later on, this "degeneracy" affects significantly 
the options of a potential eavesdropper in the framework 
of the six-state protocol, increasing thus the robustness of 
the protocol. 



4 The price of disentanglement 

In QKD issues, Eve's attack is usually optimized by maxi- 
mizing her Shannon information (or the probability of her 
guessing correctly Alice's bit-string) conditioned on a fixed 
disturbance. Given, however, that the unconditional secu- 
rity of the BB84 and six-state cryptographic schemes is 
beyond doubt, Eve might be willing to reduce the robust- 
ness of the protocols to the lowest possible level while si- 
multaneously maximizing any of her properties |19|. Thus, 
what remains to be clarified now is the cost at which Eve 
can saturate the lowest disentanglement threshold D t h, in 
terms of her information gain and probability of correct 
guessing. To this end, we have to consider in detail the 
eavesdropping attack on the BB84 and the six-state pro- 
tocols. 

Such an investigation, however, is practically feasible 
only in the context of attacks on a few qubits. As the num- 
ber of attacked qubit-pairs increases the complete treat- 
ment of the problem becomes intractable due to the large 
number of independent parameters involved. In this sec- 
tion we will focus on incoherent and two-qubit coherent at- 
tacks. The disentanglement of Alice and Bob in the frame- 
work of incoherent attacks has been extensively studied in 



however, Eve's attack is by default optimized to provide 
her with the maximal Shannon information. On the con- 
trary, here we give Eve all the flexibility to adjust her 
parameters in order to break entanglement between Alice 
and Bob and simultaneously maximize her properties. Fi- 
nally, for the two QKD protocols under consideration, we 
are not aware of any related previous work on disentan- 
glement in the context of coherent attacks. 



4.1 BB84 protocol 



4.1.1 Incoherent attacks 

Incoherent attacks belong to the class of the so-called 
single-qubit or individual attacks, where Eve manipulates 
each transmitted qubit individually. To this end, she at- 
taches a single probe (initially prepared in e.g. state \0e)) 
to each transmitted qubit and lets the combined system 
undergo a unitary transformation of the form |13II37II38| 



\0b) ® \0e) VF |0 fl ) ® |^o) + VD \1 B ) ® \0 O ), 
|lfl><8> \0 E ) ->VF|1b}<8> |0i> + VD \0 b ) ® |0i),(29) 

with F and D being the fidelity and disturbance respec- 
tively, while \(f>j) and \6j) are normalized states of Eve's 
probe when Bob receives the transmitted qubit undis- 
turbed (probability F) and disturbed (probability D) , re- 
spectively. Applying unitarity and symmetry conditions 
on this transformation one finds that the states \<pj) are 
orthogonal to the states \9j) (j G {0, 1}), while the over- 
laps (</>o|0i) and (8q\6i) are real-valued |1HUH7|I3H| . Thus, 
an incoherent attack can be described by the four pa- 
rameters satisfying Eqs. lJTfi)l. fTT)) (fT£|l and {EH with 
H = -F((j> Q \(f>i) and G = -D{6 Q \di). In other words, 
there are only two independent parameters and by fixing 
one of them, say D, one is able to determine any prop- 
erty of the attack. In Figs. 03 we present Eve's optimal 
information gain and probability of success in guessing 
the transmitted qubit correctly as functions of the distur- 
bance (solid line). The optimization is performed in the 
usual way, i.e. for a fixed disturbance D, Eve's mutual in- 
formation with Alice is maximized 13,38 . It is also known 
that such an optimized strategy disentangles the qubits of 
Alice and Bob at w 30% (vertical dotted line)[T7j. 
which is well above Dth = 25%. Thus, the natural ques- 
tion arises is whether, under the assumption of incoherent 
attacks, Eve can saturate the lowest possible disentangle- 
ment border Z) t h and if yes, at which cost of information 
loss. 

To answer this question, for a fixed disturbance D, we 
calculated numerically all the possible values of G and H 
which are consistent with the constraints (|16(l - (|19|l and 
which yield a separable state of Alice and Bob. In general, 
at any given disturbance there is more than one combina- 
tion of values of G and H which fulfill all these constraints. 
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Fig. 3. BB84 protocol — Incoherent attacks : (a) Eve's proba- 
bility of guessing correctly the transmitted message as a func- 
tion of disturbance D. The solid line corresponds to an attack 
that maximizes Eve's probability of success in guessing, while 
each square denotes the corresponding probability for an attack 
which in addition, disentangles Alice and Bob at the specific 
disturbance, (b) As in (a) but for Eve's information gain. The 
vertical dotted lines correspond to the solid curves, and denote 
the disturbance Z)' 1 ' ~ 30% up to which Alice and Bob share 
an entangled state. The vertical dashed lines denote the low- 
est disentanglement threshold disturbance D t h = 1/4 which 
can be attained in the context of general coherent attacks and 
intercept-resend strategies. 



For each of these combinations, we calculated Eve's infor- 
mation gain and her probability of correct guessing |131 
l3"5| . The results presented as squares in Figs. [31 refer to 
those combinations of parameters which, not only disen- 
tangle the two honest parties for a particular disturbance 
D, but which simultaneously maximize Eve's property as 
well. Clearly, for disturbances close to Dth, the two strate- 
gies are not equivalent since they yield substantially dif- 
ferent results. In other words, an optimal incoherent at- 
tack that maximizes Eve's information gain is certainly 
not the one which achieves the lowest possible robustness 
bound. Furthermore, our simulations show that saturation 
of Dth = 1/4 is feasible at the cost of ~ 4% less informa- 
tion gain of Eve or equivalently at the cost of ~ 7.44% 
less probability of success in guessing. 



4.1.2 Two-qubit coherent attacks 



In a two-qubit coherent attack, Eve attaches one probe 
to two of the qubits sent by Alice. Let |ms) with m G 
{0, 1, 2, 3}, be the message sent from Alice to Bob in bi- 
nary notation. The combined system then undergoes a 




(30) 



where £ is a 4 x 4 matrix which contains normalized states 
in the Hilbert space of Eve's probe 



vm> v^l<M n/7|xi) v^K 
V7lx2> V^lfo) VP\e 2 ) 
\V7lx3> v^Ns) VP\o 3 ) \<h)J 



The states (f>j, 9j, LUj and Xj denote Eve's probe states 
in cases in which Bob receives all the transmitted qubits 
undisturbed, one qubit disturbed or both transmitted qubits 
disturbed. 

Applying unitarity and symmetry conditions on Eq. 
(|30|l . the problem can be formulated in terms of the fol- 
lowing four mutually orthogonal subspaces |38| 



S<p = {00, 01, 02, 03>, 
So = {00, Ql, 02, 03}, 



S X = {X0, Xl, X2, X3j, 
<50 = {u>o, LOl, UJ 2 , w 3 }, 



while all the overlaps between the various states within 
each of these subspaces are real-valued. Thus, Eve is able 
to infer with certainty whether Bob has received both 
qubits undisturbed (S^), one qubit disturbed (S 1 ^) or 
both qubits disturbed (S x ). These events occur with prob- 
abilities a, 2/3 and 7, respectively. It can be shown that 
a general coherent two-qubit attack can be described in 
terms of five independent parameters |38[ . The average 
reduced density matrix for Alice and Bob is then of the 
form (JUJl, with F~a + f3,D~f3 + j,H = -(a(0 o |0i) + 
P(0 o \0 2 )),G = -( 1 (xo\xi)+(3(0o\0i)), satisfying the con- 
straints (CHI), 03), 13 and (U1J). 

Compared to an incoherent attack, a two-qubit coher- 
ent attack can improve the probability that Eve guesses 
correctly the whole two-bit message sent by Alice to Bob 
|38j . Eve's optimal probability of success in guessing is 
plotted in Fig. 0] (solid line), as a function of disturbance 
D. This curve has been obtained by maximizing Eve's 
probability of success in guessing conditioned on a fixed 
disturbance D. For such an optimal attack, we found nu- 
merically that Alice and Bob share entanglement up to 
disturbances of the order of « 28% (dotted vertical 
line). This is in contrast to the bound -D^ « 30% at- 
tained in an optimal incoherent attack. Furthermore, we 
also found that Eve is able to saturate the lowest possi- 
ble robustness bound (dashed vertical line) , at the cost of 
~ 3% less probability of success in guessing. This loss of 
Eve's probability in guessing is substantially smaller than 
the corresponding loss for incoherent attacks (~ 7.44%). 
Thus, it could be argued that a two-qubit coherent attack 
which is optimized with respect to the probability of guess- 
ing only, is very close to an optimal coherent attack which 
also disentangles Alice and Bob at Dth = 1/4. The reason 
is basically that in a two-qubit coherent attack each one 
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Fig. 4. BB84 protocol — Two-qubit coherent attacks : Eve's 
probability of guessing correctly a two-bit transmitted message 
as a function of disturbance D. The solid line corresponds to an 
attack that maximizes Eve's probability of success in guessing 
only, while each square denotes the corresponding probability 
for an attack that, in addition, disentangles Alice and Bob at 
the specified disturbance. The vertical dotted line corresponds 
to the solid curve, and denotes the disturbance I)' 2 ' w 28% up 
to which Alice and Bob share an entangled state. The vertical 
dashed line denotes the lowest possible disentanglement thresh- 
old disturbance D t h = 1/4 that can be attained in the context 
of general coherent attacks and intercept-resend strategies. 



of the two independent macroscopic parameters G and H 
can be expressed in terms of two different overlaps whereas 
in incoherent attacks the corresponding dependences in- 
volve a single overlap only. In a coherent attack Eve has 
therefore more possibilities enabling her to push the dis- 
entanglement border towards the lowest possible value, 
while simultaneously maximizing her probability of guess- 
ing correctly the transmitted message. 



4.2 Six-state protocol 

So far, we have considered incoherent and coherent at- 
tacks in the context of the BB84 protocol where Eve's at- 
tack is determined by a set of two macroscopic parameters 
(G, H). These two independent parameters give a consid- 
erable flexibility to Eve since at a given disturbance there 
exists a variety of physically allowed attacks. This fact is 
also reflected in Fig. ^ where, for a specific disturbance, 
Alice and Bob can be disentangled for different values of 
H (and therefore of G). 

In the highly symmetric six-state protocol, however, 
the situation is much simpler. In fact, the high symme- 
try of the protocol reduces significantly the options of an 
eavesdropper since there is only one independent macro- 
scopic parameter in our problem, namely H. Moreover, 
the analysis of the attacks under consideration becomes 
rather straightforward |39j. In particular, for incoherent 
attacks G = —D(8q\8i) = which indicates that Eve has 



full information about the disturbed qubits received by 
Bob. However, as depicted in Fig. [3 at a given value of 
D there is a unique value of H consistent with the laws 
of quantum mechanics. It is determined by Eqs. Ijlfijl and 
(|28fl [line (c) in Fig. [2] . Similarly, for the two qubit coher- 
ent attack we have (xolxi) = (#o|#i) = and thus G = 0, 
whereas H = -(a(0o|0i)+/3<0 o |02)) = ~{a-j) = 2D-1. 
As a result, for both incoherent and two-qubit coherent at- 
tacks, the physically allowed attack is the one that max- 
imizes Eve's probability of guessing and simultaneously 
disentangles Alice and Bob at a given disturbance. It is 
sufficient for Eve therefore to optimize her attack with 
respect to her probability of correct guessing in order to 
disentangle Alice and Bob at the lowest possible distur- 
bance. 



5 Entanglement and intrinsic information 

So far, we have discussed for both the four- and six-state 
protocols the maximal disturbance up to which Alice and 
Bob share entanglement. Clearly, this bound indicates that 
in principle secret-key generation is feasible by means of 
a quantum purification protocol. In this section we show 
that, at least in the context of incoherent attacks, a two- 
way classical protocol, the so-called advantage distilla- 
tion protocol, exists which can tolerate precisely the same 
amount of disturbance as a quantum purification protocol. 

To this end, we adopt Maurer's model for classical 
key agreement by public discussion from common infor- 
mation 0. Briefly, in this classical scenario, Alice, Bob 
and Eve, have access to independent realizations of ran- 
dom variables X, Y and Z, respectively, jointly distributed 
according to Pxyz- Furthermore, the two honest parties 
are connected by a noiseless and authentic (but otherwise 
insecure) channel. In the context of this model, Maurer 
and Wolf have shown that a useful upper bound for the 
secret-key rate S(X; Y\ \Z) is the so called intrinsic infor- 
mation I(X; Y I Z) which is defined as 



I(X;Y 



Z) = min{J(X 

z^z 



Y\Z)}, 



where I(X : Y\Z) is the mutual information between the 
variables X and Y conditioned on Eve's variable Z, while 
the minimization runs over all the possible maps Z — > Z 

For our purposes, we can link this classical scenario 
to a quantum one. More precisely, the joint distribution 
Pxyz can be thought of as arising from measurements 
performed on a quantum state |\&abe) shared between 
Alice, Bob and Eve. We have, however, to focus on inco- 
herent attacks where Eve interacts individually with each 
qubit and performs any measurements before reconcilia- 
tion. Thus, at the end of such an attack the three par- 
ties share independent realizations of the random vari- 
ables X, Y and Z. Accordingly, the resulting mixed state 
after tracing out Eve's degrees of freedom is of the form 
(O where H = -F(0 o |0i) and G = -D{9( S \6 1 ), It turns 
out 1|| that the random variables X and Y are symmet- 
ric bits whose probability of being different is given by 
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Prob[A Y] = D whereas Eve's random variable consists 
of two bits Z\ and Z2. The first bit Z\ = X Q>2 Z shows 
whether Bob has received the transmitted qubit disturbed 
(Zi = 1) or undisturbed (Z\ = 0). The probability that 
the second bit Z2 indicates correctly the value of the bit 
Y is given by 

Prob[Z 2 = Y] = 5 = Wl~ Wi) 2 . (31) 

As has been shown by Gisin and Wolf JS] , for the sce- 
nario under consideration secret key agreement is always 
possible iff the following condition holds 



— - < 2^T~5)~5. (32) 

More precisely, one can show that if the above condition is 
not satisfied, the intrinsic information vanishes whereas, 
in any other case there exists a classical protocol that can 
provide Alice and Bob with identical keys about which Eve 
has negligible information. Such a protocol, for instance 
is the so-called advantage distillation protocol which is 
described in detail elsewhere 

In our case now, considering that Eve has adjusted the 
parameters in her attack to disentangle Alice and Bob at 
the lowest possible disturbance, Eq. l|31[l yields for the two 
protocols 

f 3+|%/2 BB84 p ro tocol 
\ 2+ /^ six-state protocol. 

Using these values of 5 in Eq. I|32|) one then obtains bounds 
that are precisely the same with the threshold distur- 
bances for provable entanglement we derived in Section 
13 In other words we have shown that, as long as Alice 
and Bob are entangled, a classical advantage distillation 
protocol is capable of providing them with a secret key, 
provided Eve restricts herself to individual attacks only 
(see also [27)ll2*T] for similar results). 

This result is a manifestation of the link between quan- 
tum and secret correlations in both four- and six-state 
QKD protocols J22H23J ■ For the time being, the validity of 
this equivalence between classical and quantum distilla- 
tion protocols is restricted to individual attacks only. In- 
vestigations of tomographic QKD protocols have shown, 
however, that such an equivalence is invalid for coherent 
attacks |4*T] . 

6 Concluding remarks 

We have discussed provable entanglement in the frame- 
work of the BB84 and the six-state QKD protocols under 
the assumption of coherent (joint) attacks. In particular, 
we have shown that the threshold disturbances for prov- 
able entanglement are 1/4 and 1/3 for the four- and six- 
state QKD protocols, respectively. Perhaps surprisingly, 
these borders coincide with the disentanglement borders 
associated with the standard intercept-resend strategy |42l 



I43| . Here we have shown, however, that even the most 
powerful eavesdropping attacks (which are only limited 
by the fundamental laws of quantum theory) , are not able 
to push these disentanglement borders to lower distur- 
bances. In other words, for the two protocols under con- 
sideration, any eavesdropping attack which disentangles 
Alice and Bob gives rise to QBERs above 1/4 (BB84) 
and 1/3 (six-state). Hence, for estimated disturbances be- 
low these borders the two honest parties can be confident 
(with probability exponentially close to one) that their 
quantum correlations cannot be described in the context 
of separable states and can be explored therefore for the 
extraction of a secret key. 

In particular, for the entanglement-based versions of 
the protocols such a secure key can be obtained after ap- 
plying an EPP which purifies the qubit pairs shared be- 
tween Alice and Bob. Nevertheless, for the prepare-and- 
measure forms of the protocols the situation is more in- 
volved. To the best of our knowledge, the highest tolerable 
error rates that have been reported so far in the context 
of the prepare-and-measure BB84 and six-state schemes 
are close to 20% and 27%, respectively gEJ. These best 
records are well below the corresponding threshold distur- 
bances we obtained in this work. Thus, an interesting open 
problem is the development of prepare-and-measure pro- 
tocols which bridge the remaining gap and are capable of 
generating a provably secure key up to 25% and 33.3% 
bit error rates. In view of the fundamental role of en- 
tanglement in secret key distribution such a development 
appears to be plausible. For this purpose, however, con- 
struction of new appropriate EPPs with two-way classical 
communication, which are consistent with the prepare- 
and-measure schemes, is of vital importance. 

Furthermore, we have investigated the cost of infor- 
mation loss at which an eavesdropper can saturate these 
bounds in the context of symmetric incoherent and two- 
qubit coherent attacks. We have found that for the highly 
symmetric six-state scheme, there is always a unique eaves- 
dropping attack which disentangles Alice and Bob at a 
fixed disturbance (above 1/3) and simultaneously maxi- 
mizes Eve's information gain and/or probability of guess- 
ing. For the BB84 protocol, however, the situation is sub- 
stantially different. Specifically, an attack which maxi- 
mizes any of Eve's properties (information gain or proba- 
bility of success in guessing) is not necessarily also the one 
that yields the lowest possible robustness bound. In fact, 
if Eve aims at reducing the robustness of the BB84 proto- 
col she has to accept less information gain and probabil- 
ity of correct guessing. Nevertheless, our simulations show 
that for a two-qubit coherent attack this cost is substan- 
tially smaller than the cost for an incoherent attack. We 
conjecture therefore that, for coherent attacks on a larger 
number of qubits, the strategy that maximizes Eve's prob- 
ability of success in guessing, is also the one that defines 
the lowest possible disentanglement threshold. 

In closing, it should be stressed that the bounds we 
have obtained throughout this work depend on the post- 
processing that Alice and Bob apply. In particular, they 
rely on the complete omission of any polarization data 
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from the raw key that involve different bases for Alice 
and Bob as well as on the individual manipulation of each 
pair of (qu)bits during the post-processing. In other words 
only one observable is estimated, namely the disturbance 
or QBER. If some of these conditions are changed, also the 
threshold disturbances may change. In this context it was 
demonstrated recently that with the help of entanglement 
witnesses which are constructed from the data of the raw 
key, the detection of quantum correlations between Alice 
and Bob is feasible even for QBERs above the bounds we 
have obtained here 
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